
How to tell Apache to reply with 403 instead of 401?

@LarsenBagley505

Posted in: #403Forbidden #Apache

We have some rules for a subtree of Locations, which involve Require-ing ldap-group and exprs.

The user is duly challenged to supply login-credentials, which are verified.

However, even when the credentials are correct and the access is denied due to other reasons (such as belonging to a wrong group or coming from an incorrect IP-address), the server's response is always 401 -- instead of 403.

As a result, the browsers keep prompting users to "try again"... Can I tell Apache (2.4) to use 403 if the information supplied in the Authorization header checks out, and it is some other rule that rejects the request?


@Michele947

(Posting a copy of my answer on Server Fault, per OP's request.)

I think what you want is AuthzSendForbiddenOnFailure:

    AuthzSendForbiddenOnFailure On

Context: directory, .htaccess

If authentication succeeds but authorization fails, Apache HTTPD will respond with an HTTP response code of '401 UNAUTHORIZED' by default. This usually causes browsers to display the password dialogue to the user again, which is not wanted in all situations. AuthzSendForbiddenOnFailure allows changing the response code to '403 FORBIDDEN'.


Note that it carries a security warning:

Security Warning

Modifying the response in case of missing authorization weakens the security of the password, because it reveals to a possible attacker that his guessed password was right.

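As an added example (not from the answer, the original post or the Apache project) of where the directive sits relative to the ldap-group and expr rules the question describes; the LDAP URL, group DN and address range are placeholder assumptions, and mod_authnz_ldap and mod_authz_core are assumed to be loaded:

```apache
# Added example, not from the original thread. Placeholders: LDAP server,
# base DN, group DN and the 192.0.2.0/24 range.
<Location "/internal/">
    AuthType Basic
    AuthName "Internal area"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.invalid/ou=people,dc=example,dc=invalid?uid?sub"

    # Credentials verified but a Require rule failed: answer 403 instead of
    # re-issuing the 401 challenge. Trade-off from the docs' warning: a 403
    # confirms to the client that the password it sent was correct.
    AuthzSendForbiddenOnFailure On

    # Every rule must pass; a valid user outside the group or the network
    # is authenticated but not authorized.
    <RequireAll>
        Require ldap-group cn=staff,ou=groups,dc=example,dc=invalid
        Require expr %{REMOTE_ADDR} -ipmatch '192.0.2.0/24'
    </RequireAll>
</Location>
```

Without the directive, the same failed RequireAll returns 401 with a fresh WWW-Authenticate header, which is the repeated prompt the question describes; with it, the browser shows the 403 and stops asking.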